NetworkTigers explores the topic of cybersecurity and safe water, which made the news roundup last week.
America is home to over 250,000 rivers, making for a total of over 3,500,000 miles of freshwater throughout the nation. The US is also home to the largest freshwater lake system on planet Earth, the Great Lakes. From these lakes, rivers, underground basins and reservoirs, the United States contains more than 7% of the Earth’s renewable freshwater resources. While 7% may seem small, this is proportionately high compared to the estimated 4.3% of the world’s population who lives in America.
Despite this abundance of freshwater, clean drinking water is still in jeopardy in certain areas of the country. One of the greatest risks facing any area’s clean drinking water supply is cyber attack and the threat of remote sabotage. In recent years, the rate of cybersecurity incidents in the US water sector has increased by 78.6%.
Recent cyber attacks on clean water
In the past few years, several cities across America have witnessed disturbing and dangerous cyber attacks that have targeted clean drinking water. Had any of these attacks succeeded in their entirety, scores of people could have been poisoned, often without the source being detected until much later.
- A 2021 attack in the San Francisco Bay area was perpetrated by a hacker who logged into a former staff member’s TeamViewer account, a software that allows employees remote access into the water treatment plant’s network. The hack deleted several necessary programs that treated Bay area drinking water. This cybercrime went undetected until the next day.
- About a month after the Bay area attack, a hacker in Oldsmar, Florida attempted to raise chemical levels in the local drinking water supply to dangerous levels. This attack would have poisoned drinking, cooking, bathing, and medical water supplies for every person in the vicinity. The hacker or hacking group attempted to raise the levels of sodium hydroxide, or lye, but were thwarted by an employee who noticed the breach in real time and was able to reverse the command before the chemical was released into the water supply.
- In Ellsworth, Kansas, a similar attack using remote software was reported when a former employee used their login, which had not been deactivated, in order to shut off the sanitation system for the town’s drinking water.
Factors in cybersecurity and water safety
The US has about 150,000 public water utilities and systems, most of which are serviced or maintained by local municipalities or cities. Because of this, there is not a centralized standard or defined set of cybersecurity practices. Budget cuts, shifting priorities, corruption, uncaring public officials, racial or economic prejudice, and other factors can often allocate funding away from protecting these crucial facilities. However, investing in cybersecurity has never been more critical than at the present moment.
The Cyberspace Solarium Commission, a bipartisan nonprofit, identifies water utilities as one of the top vulnerabilities in the United States when it comes to facing cyber attack from local or foreign actors, alongside the electric grid and areas of the financial and banking system. The Department of Homeland Security and the FBI have both also attempted to raise the alert about the possibility of Russian government sabotage of the US water sector as part of a multi-stage attack.
Common threats to water safety through cyber attack
The Cybersecurity & Infrastructure Security Agency (CISA) has identified some of the most common threats to water utilities in the US. Due to the rise of remote work from the COVID-19 crisis, attempts to hack into the water sector have only continued to rise from players both near and far.
CISA has labeled the following as some of the most problematic cyber threats in today’s water utility landscape:
- Spearfishing, often using phony emails or malicious email attachments, in an attempt to deliver ransomware. This kind of targeting employees is especially dangerous due to the rise of less secure remote work systems.
- Older, under-funded, or outdated systems
- Vulnerable firmware or systems not being frequently updated
- Insider attacks from employees who may hold onto improper credentials, even after being terminated
Attempts to address the growing cyber threat
On Wednesday, the National Association of Water Companies (NAWC) launched their annual Cybersecurity Symposium in Washington, DC. One of the main focuses of the NAWC presentation is the unequal distribution of cybersecurity resources and prioritization across US water systems. The NAWC supports the development of a national standard for cybersecurity to avoid dangerous attacks.
The Biden Administration has also released the Water Sector Action Plan in an attempt to guide municipalities and privately owned utilities towards safer cybersecurity practices. Some of the main priorities advocated for by the Water Sector Action Plan are to reduce the reporting time for incidents, share information with the federal government, and to enlist the help of the EPA in implementing new cybersecurity technology for individual systems.
Moving forward in an uncertain landscape
Local, state, and federal governments need to help water utilities face ever-evolving threats in today’s cyber landscape. An under-funded or under-protected water sector puts everybody at risk. Cybersecurity is the latest frontier that needs support, as the scattered quilt of water utilities scramble to provide safe, clean drinking water to every American.
- How the United States Uses Water
- PROTECTING DRINKING WATER UTILITIES FROM CYBER THREATS
- Hackers Tried to Poison California Water Supply in Major Cyber Attack
- Cybersecurity needs to be top priority in nation’s water utilities | The Hill
- US Water Supply System Being Targeted By Cybercriminals
- Two More Cyber Attacks on US Water Supply Highlights Concerns About Vulnerabilities, but Sensational Headlines Sometimes Overstate the Threat to Public Safety – CPO Magazine
- Opinion | The cybersecurity risk to our water supply is real. We need to prepare. – The Washington Post
- Ongoing Cyber Threats to US Water and Wastewater Systems | CISA
- Biden Administration Seeks To Bolster Defenses Against Cyberattacks On Water Systems
- US unveils plan to improve cyber defenses for water utilities | Reuters